diff --git a/clusters/csvd-dev-mcm/main.tf b/clusters/csvd-dev-mcm/main.tf
index 1ce382f..67242d3 100644
--- a/clusters/csvd-dev-mcm/main.tf
+++ b/clusters/csvd-dev-mcm/main.tf
@@ -31,9 +31,9 @@ module "eks_deployment" {
 vpc_domain_name = "dev.inf.csp1.census.gov"
 vpc_name = "vpc3-inf-dev"
 tags = {
- Owner = "matthew.c.morgan@census.gov"
- Environment = "development"
- CostAllocation = "census:ocio:csvd"
+ Owner = "matthew.c.morgan@census.gov"
+ Environment = "development"
+ CostAllocation = "census:ocio:csvd"
 }
 organization = "census:ocio:csvd"
 }
diff --git a/defaults.tf b/defaults.tf
index a550dbe..215f0a4 100644
--- a/defaults.tf
+++ b/defaults.tf
@@ -5,10 +5,11 @@ locals {
 # Dynamic AWS profile generation
 aws_profile = "${var.cluster_config.account_name}-${var.cluster_config.environment_abbr}"
- # Static template values (hidden from users)
+ # template_repo is null — all generated-repo content is managed via managed_extra_files.
+ # template-eks-cluster is a human reference only; it has no automation role.
 repository_defaults = {
- template = "template-eks-cluster"
- template_owner = "SCT-Engineering"
+ template = null
+ template_owner = null
 }
 # Static EKS configuration for Karpenter bootstrap node group
diff --git a/docs/adr/0001-generated-file-source-of-truth.md b/docs/adr/0001-generated-file-source-of-truth.md
new file mode 100644
index 0000000..5e35209
--- /dev/null
+++ b/docs/adr/0001-generated-file-source-of-truth.md
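Review bot: The new comment in defaults.tf says `template_repo is null`, but the keys being nulled in this map are `template` and `template_owner`, so a reader will look for a `template_repo` key that does not exist here. If `template_repo` is the name the downstream repo module exposes (the ADR added in this commit uses that name), name both in the comment, e.g. `# template/template_owner are null (template_repo in the repo module): generated-repo content comes solely from managed_extra_files.` The second comment line restates the ADR; pointing at `docs/adr/0001-generated-file-source-of-truth.md` keeps the rationale in one place.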
@@ -0,0 +1,134 @@
+# ADR 0001: All Generated Cluster Repository Files Must Be Versioned in terraform-eks-deployment
+
+**Date:** 2026-04-20
+**Status:** Proposed
+**Deciders:** arnol377, morga471
+
+---
+
+## Context
+
+The EKS Cluster Automation (ECA) system generates new EKS cluster repositories by running
+`terraform apply` inside a CodeBuild project (`eks-terragrunt-repo-creator`). The build
+checks out a pinned commit of `terraform-eks-deployment` (via `REPO_BRANCH` in `buildspec.yml`)
+and applies it, which calls `CSVD/terraform-github-repo` to create the GitHub repo and
+commit all generated files via `managed_extra_files`.
+
+The files written into a generated cluster repo fall into two categories:
+
+1. **Rendered config files** — `_envcommon/default-versions.hcl`, `_envcommon/common-variables.hcl`,
+ `account.hcl`, `region.hcl`, `vpc.hcl`, `cluster.hcl` — rendered from Go templates
+ (`*.tf.tpl`) committed inside `terraform-eks-deployment/templates/`.
+
+2. **Terragrunt module entrypoints** — `eks/terragrunt.hcl`, `eks-config/terragrunt.hcl`,
+ `eks-dns/terragrunt.hcl`, and all other `eks-*/terragrunt.hcl` files — one per
+ Terragrunt module in the cluster's run-all graph.
+
+Historically, the second category was provided by cloning `template-eks-cluster` as a
+GitHub repo template. The template contained placeholder directory paths
+(`environment/region/vpc/cluster/eks-*/`) that were supposed to be renamed to real computed
+paths after clone. That renaming was never implemented, producing broken repos with literal
+`environment/region/vpc/cluster` in all paths.
+
+PR #16 (`test_cluster` → `main`) correctly eliminates the GitHub template feature
+(`template_repo = null`) but proposes reading the `eks-*/terragrunt.hcl` files live from
+`template-eks-cluster:main` at Terraform plan time via `data.github_repository_file`.
+
+This ADR records the decision about where those files should live and why.
+
+---
+
+## Decision
+
+We will commit all `eks-*/terragrunt.hcl` template files directly into
+`terraform-eks-deployment/templates/eks-modules/` and write them into generated repos
+via `managed_extra_files`, alongside the existing rendered config files.
+
+The `template-eks-cluster` GitHub repo will no longer be used as a source of file content
+in the automation path. The GitHub template feature (`template_repo`) will remain `null`.
+
+---
+
+## Alternatives Considered
+
+### Option A: Read eks-module files live from `template-eks-cluster` at plan time (PR #16 approach)
+
+`data.github_repository_file` datasources fetch each `eks-*/terragrunt.hcl` from
+`template-eks-cluster:main` during `terraform plan`. They are passed into
+`managed_extra_files` alongside the rendered config files.
+
+**Rejected because:**
+
+- **Internal consistency cannot be guaranteed.** The rendered config files
+ (`_envcommon/default-versions.hcl`, `_envcommon/common-variables.hcl`) are generated
+ from templates in `terraform-eks-deployment`. The eks-module files are fetched live from
+ a separate repo at a different, independently-advancing ref. A change to
+ `eks-karpenter/terragrunt.hcl` in `template-eks-cluster` that references a new variable
+ not yet present in `default-versions.hcl` will flow into new repos silently, producing
+ files that are internally inconsistent and will fail when terragrunt is run.
+
+- **Partial updates are possible.** PR #16's drift-detection update mode only re-commits
+ files whose content changed. A template update that touches `eks-karpenter/terragrunt.hcl`
+ but not `default-versions.hcl` could produce a cluster repo where those two files are
+ at different effective versions.
+
+- **Plan-time API coupling increases fragility.** Every `terraform plan` makes one GitHub
+ API call per eks-module file (currently 14 calls). If the GHE endpoint is slow or the
+ token lacks access, the plan fails regardless of whether the user intends to touch those
+ files.
+
+- **`REPO_BRANCH` pinning is undermined.** CodeBuild pins `terraform-eks-deployment` to a
+ tested commit via `REPO_BRANCH`. This guarantees a known, reproducible set of Terraform
+ logic and defaults. Pulling supporting files from a separately-versioned repo at runtime
+ breaks that reproducibility guarantee — the effective artifact being applied is no longer
+ fully described by a single commit.
+
+### Option B: Keep `template-eks-cluster` as a GitHub repo template (previous approach)
+
+Use the GitHub template feature to seed new repos with `eks-*/terragrunt.hcl` files and
+then rename the placeholder paths via a post-apply script.
+
+**Rejected because:**
+
+- Placeholder paths (`environment/region/vpc/cluster/`) land in the generated repo and
+ cannot be easily renamed after the fact via standard Terraform resources.
+- Requires an out-of-band post-apply step (script or `null_resource`) that runs outside
+ Terraform's state model.
+- The template repo still diverges from `terraform-eks-deployment` over time (same
+ consistency problem as Option A).
+
+---
+
+## Consequences
+
+**Positive:**
+
+- A single commit of `terraform-eks-deployment` fully describes all files that will be
+ written into a generated cluster repo. Pinning `REPO_BRANCH` in `buildspec.yml` is
+ sufficient to produce a fully reproducible, internally consistent artifact.
+- When a new eks-module version or a new variable is added, a single PR to
+ `terraform-eks-deployment` updates both the `eks-*/terragrunt.hcl` template and the
+ corresponding `default-versions.hcl` template atomically. They cannot diverge.
+- No live API calls at plan time for file content. Plan performance and reliability are
+ not affected by the availability of `template-eks-cluster`.
+- The GitHub template feature (`template_repo`) is not used, removing a dependency on a
+ separately-maintained repo and on GitHub's template clone behavior.
+
+**Negative:**
+
+- `template-eks-cluster` and `terraform-eks-deployment/templates/eks-modules/` must be
+ kept manually in sync if humans use the template repo as a reference. Mitigation: add a
+ README to `template-eks-cluster` noting that it is no longer the automation source of
+ truth and pointing to `terraform-eks-deployment`.
+- Adding a new eks-module requires a PR to `terraform-eks-deployment` rather than just
+ adding a directory to `template-eks-cluster`. This is the desired behavior — changes
+ go through review — but is a minor workflow difference.
+
+**Neutral:**
+
+- `template-eks-cluster` can be archived or retained as a human-readable reference. It
+ is not deleted because it may still be useful for onboarding documentation.
+- The `data.github_repository_file` approach in PR #16 remains valid for a future
+ *update* workflow (deliberately syncing template changes into existing cluster repos),
+ as long as that workflow operates on the `templates/eks-modules/` copy in
+ `terraform-eks-deployment` rather than `template-eks-cluster:main`.
diff --git a/examples/adsd-tools-dev/main.tf b/examples/adsd-tools-dev/main.tf
new file mode 100644
index 0000000..be56914
--- /dev/null
+++ b/examples/adsd-tools-dev/main.tf
@@ -0,0 +1,48 @@
+provider "aws" {
+}
+
+data "aws_secretsmanager_secret_version" "github_token" {
+ secret_id = "/eks-cluster-deployment/github_token"
+}
+
+provider "github" {
+ token = data.aws_secretsmanager_secret_version.github_token.secret_string
+}
+
+module "eks_deployment" {
+ source = "../../"
+
+ # Repository and cluster configuration - single name for both
+ name = "adsd-tools-dev"
+ environment = "prod"
+ region = "us-gov-east-1"
+
+ # Cluster configuration - simplified interface
+ cluster_config = {
+ account_name = "adsd-tools-nonprod-gov"
+ aws_account_id = "533109815932"
+ cluster_mailing_list = "adsd.enterprise.tools.support.branch.list@census.gov"
+ environment_abbr = "prod"
+ finops_project_name = "adsd_etdsb_tools_migration"
+ finops_project_number = "fs0000000069"
+ finops_project_role = "adsd_tools_mgrn_eks"
+ vpc_domain_name = "dev.adsd.csp1.census.gov"
+ vpc_name = "vpc3-inf-dev"
+ tags = {
+ Owner = "adsd.enterprise.tools.support.branch.list@census.gov"
+ Environment = "development"
+ CostCenter = "census:ocio:adsd"
+ }
+ organization = "census:ocio:adsd"
+ }
+}
+
+output "repository_url" {
+ description = "URL of the created GitHub repository"
+ value = module.eks_deployment.repository_url
+}
+
+output "ssh_clone_url" {
+ description = "SSH clone URL of the repository"
+ value = module.eks_deployment.ssh_clone_url
+}
diff --git a/examples/csvd-mcm-common/main.tf b/examples/csvd-mcm-common/main.tf
new file mode 100644
index 0000000..c6b13fb
--- /dev/null
+++ b/examples/csvd-mcm-common/main.tf
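Review bot: `environment = "prod"` and `environment_abbr = "prod"` sit next to `vpc_name = "vpc3-inf-dev"`, `vpc_domain_name = "dev.adsd.csp1.census.gov"` and a tag `Environment = "development"`, so this example describes a dev VPC as prod, and with the new `eks_module_cluster_prefix` in main.tf the generated repo paths would start with `prod/us-gov-east-1/vpc3-inf-dev/…`. `examples/csvd-mcm-common/main.tf` in this same diff has the same prod/development mismatch. Which side is wrong I can't tell from here, but one of them should change, and since `aws_profile` in defaults.tf is built from `environment_abbr`, that is the value most worth checking before this example is copied. Separately, both new examples tag `CostCenter` while `clusters/csvd-dev-mcm/main.tf` uses `CostAllocation`; if cost reporting keys on one of those names, the examples should use it.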
@@ -0,0 +1,48 @@
+provider "aws" {
+}
+
+data "aws_secretsmanager_secret_version" "github_token" {
+ secret_id = "/eks-cluster-deployment/github_token"
+}
+
+provider "github" {
+ token = data.aws_secretsmanager_secret_version.github_token.secret_string
+}
+
+module "eks_deployment" {
+ source = "../../"
+
+ # Repository and cluster configuration - single name for both
+ name = "csvd-mcm-common"
+ environment = "prod"
+ region = "us-gov-east-1"
+
+ # Cluster configuration - simplified interface
+ cluster_config = {
+ account_name = "csvd-mcm-common"
+ aws_account_id = "220615867784"
+ cluster_mailing_list = "matthew.c.morgan@census.gov"
+ environment_abbr = "prod"
+ finops_project_name = "csvd_platformbaseline",
+ finops_project_number = "fs0000000078",
+ finops_project_role = "csvd_platformbaseline_app",
+ vpc_domain_name = "shared.inf.csp1.census.gov"
+ vpc_name = "vpc2-inf-shared"
+ tags = {
+ Owner = "matthew.c.morgan@census.gov"
+ Environment = "development"
+ CostCenter = "census:ocio:csvd"
+ }
+ organization = "census:ocio:csvd"
+ }
+}
+
+output "repository_url" {
+ description = "URL of the created GitHub repository"
+ value = module.eks_deployment.repository_url
+}
+
+output "ssh_clone_url" {
+ description = "SSH clone URL of the repository"
+ value = module.eks_deployment.ssh_clone_url
+}
diff --git a/main.tf b/main.tf
index e28f430..27ab20f 100644
--- a/main.tf
+++ b/main.tf
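Review bot: The three `finops_*` attributes inside `cluster_config` end with trailing commas while every other attribute in the same object, and the sibling `examples/adsd-tools-dev/main.tf`, rely on newline separation; HCL accepts both, but the mix reads as a leftover from a different source and will be copied into the next example. Drop the commas: `finops_project_name = "csvd_platformbaseline"`, `finops_project_number = "fs0000000078"`, `finops_project_role = "csvd_platformbaseline_app"`. The prod/`development` inconsistency this file shares with the adsd-tools-dev example is raised there.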
@@ -121,14 +121,14 @@ locals {
 ) : file.path => file.content
 }
- existing_managed_file_paths = !local.create_repository && local.update_source_branch != null ? toset([
+ existing_managed_file_paths = ! local.create_repository && local.update_source_branch != null ? toset([
 for entry in data.github_tree.update_source_branch_tree[0].entries : entry.path
 if entry.type == "blob"
 ]) : toset([])
 managed_files_requiring_update = local.create_repository ? local.desired_managed_files_by_path : {
 for path, content in local.desired_managed_files_by_path : path => content
- if !contains(local.existing_managed_file_paths, path) || data.github_repository_file.existing_managed_files[path].content != content
+ if ! contains(local.existing_managed_file_paths, path) || data.github_repository_file.existing_managed_files[path].content != content
 }
 has_update_changes = length(local.managed_files_requiring_update) > 0
@@ -140,7 +140,7 @@ locals {
 }
 data "github_repository" "existing_repo" {
- count = !local.create_repository ? 1 : 0
+ count = ! local.create_repository ? 1 : 0
 full_name = "${var.organization}/${var.name}"
 }
@@ -162,7 +162,7 @@ resource "terraform_data" "create_mode_guard" {
 lifecycle {
 precondition {
- condition = !local.create_mode_repo_exists
+ condition = ! local.create_mode_repo_exists
 error_message = "repository_mode=\"create\" is set but repository \"${var.name}\" already exists in ${var.organization}. Switch to repository_mode=\"update\"."
 }
 }
@@ -177,7 +177,7 @@ data "github_repository_file" "template_cluster_files" {
 }
 data "github_tree" "update_source_branch_tree" {
- count = !local.create_repository && local.update_source_branch != null ? 1 : 0
+ count = ! local.create_repository && local.update_source_branch != null ? 1 : 0
 repository = var.name
 tree_sha = local.update_source_branch
@@ -189,7 +189,7 @@ data "github_tree" "update_source_branch_tree" {
 }
 data "github_repository_file" "existing_managed_files" {
- for_each = !local.create_repository ? {
+ for_each = ! local.create_repository ? {
 for path, content in local.desired_managed_files_by_path : path => content
 if contains(local.existing_managed_file_paths, path)
 } : {}
@@ -199,6 +199,21 @@ data "github_repository_file" "existing_managed_files" {
 file = each.key
 }
+locals {
+ # Base path prefix for all eks-module files in the generated repo
+ eks_module_cluster_prefix = "${var.environment}/${var.region}/${var.cluster_config.vpc_name}/${var.name}"
+
+ # Auto-discover all files in templates/eks-modules/ and map them to their
+ # target paths in the generated repo. The naming convention converts
+ # "eks-karpenter.terragrunt.hcl" → "eks-karpenter/terragrunt.hcl" by
+ # splitting on the first dot.
+ eks_module_files = {
+ for fname in fileset("${path.module}/templates/eks-modules", "*") :
+ "${local.eks_module_cluster_prefix}/${join("/", regex("^([^.]+)\\.(.+)$", fname))}" =>
+ file("${path.module}/templates/eks-modules/${fname}")
+ }
+}
+
 module "github_repo" {
 source = "../terraform-github-repo"
diff --git a/templates/eks-modules/eks-arcgis.terragrunt.hcl b/templates/eks-modules/eks-arcgis.terragrunt.hcl
new file mode 100644
index 0000000..38cf455
--- /dev/null
+++ b/templates/eks-modules/eks-arcgis.terragrunt.hcl
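Review bot: The only change in these main.tf hunks (lines 121, 131, 141, 165, 180, and the `for_each` at 190 in the next hunk) is `!x` → `! x`, and the spaced form is now the odd one out: the new template files in this same commit write `!lookup(...)`, so the module and the files it generates will disagree on style. If this came out of a formatter, keep it; otherwise revert to `!local.create_repository`, `!contains(...)` and `!local.create_mode_repo_exists` so the file matches the templates. Nothing functional changes either way.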
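Review bot: `regex("^([^.]+)\\.(.+)$", fname)` fails at plan time as soon as any file in `templates/eks-modules/` lacks a dot (a stray README or an editor backup breaks every plan), because `fileset(..., "*")` accepts any name. Narrow the glob to the convention the comment describes, `for fname in fileset("${path.module}/templates/eks-modules", "*.*") :`, or `"*.terragrunt.hcl"` if only Terragrunt entrypoints are meant to land in generated repos. I also do not see `local.eks_module_files` merged into `desired_managed_files_by_path` anywhere in this diff, while `data "github_repository_file" "template_cluster_files"` is still present as context at line 177; if both stay wired, the same target paths could be produced from two sources, which is exactly what the ADR in this commit rejects — worth confirming in the part of main.tf outside this hunk.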
@@ -0,0 +1,86 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-ersi-arcgis.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.domain.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-kiali",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ namespace = "arcgis"
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+
+ # Dockerhub Creds
+ dockerhub_username = ""
+ dockerhub_password = ""
+
+ # ArcGIS Config
+ ersi_image_tag = "11.4.0.6285"
+ arcgis_license_json = ""
+ arcgis_admin_username = "admin"
+ arcgis_admin_password = "password"
+ arcgis_admin_email = include.root.inputs.cluster_mailing_list
+ arcgis_admin_firstname = "admin"
+ arcgis_admin_lastname = "admin"
+ arcgis_security_question_index = 1
+ arcgis_security_question_answer = "Las Vegas"
+}
diff --git a/templates/eks-modules/eks-cert-manager.terragrunt.hcl b/templates/eks-modules/eks-cert-manager.terragrunt.hcl
new file mode 100644
index 0000000..569a355
--- /dev/null
+++ b/templates/eks-modules/eks-cert-manager.terragrunt.hcl
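Review bot: `arcgis_admin_password = "password"`, `arcgis_security_question_answer = "Las Vegas"` and the empty `dockerhub_username`/`dockerhub_password`/`arcgis_license_json` are literal values that this commit will write into every generated cluster repo, so a default ArcGIS admin credential lands in Git and in Terraform state unless each cluster owner remembers to edit it. Read these from a secret source instead — the examples in this commit already pull the GitHub token from Secrets Manager, and Terragrunt's `sops_decrypt_file` or `get_env` can feed the `inputs` block — or at minimum use a value that cannot work, e.g. `arcgis_admin_password = "REPLACE_ME" # required: set per cluster from a secret store, never commit a real value`, so a forgotten default fails at deploy time rather than running. The `dependencies` block also lists `../eks-kiali` with no matching `dependency` block; that is fine for ordering, but a one-line comment saying it is ordering-only would stop the next reader from looking for the missing outputs.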
@@ -0,0 +1,70 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cert-mgr.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-karpenter",
+ "../eks-metrics-server",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_version = include.root.inputs.cluster_version
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_mailing_list = include.root.inputs.cluster_mailing_list
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Cert Manager Configuration
+ cert_manager_helm_chart = include.root.inputs.cert_manager_helm_chart
+ cluster_issuer_name = include.root.inputs.cluster_issuer_name
+ namespace = include.root.inputs.namespaces["cert-manager"]
+
+ # Version Tags
+ cert_manager_cainjector_tag = include.root.inputs.cert_manager_cainjector_tag
+ cert_manager_controller_tag = include.root.inputs.cert_manager_controller_tag
+ cert_manager_startupapicheck_tag = include.root.inputs.cert_manager_startupapicheck_tag
+ cert_manager_webhook_tag = include.root.inputs.cert_manager_webhook_tag
+}
diff --git a/templates/eks-modules/eks-config.terragrunt.hcl b/templates/eks-modules/eks-config.terragrunt.hcl
new file mode 100644
index 0000000..5297ebb
--- /dev/null
+++ b/templates/eks-modules/eks-config.terragrunt.hcl
@@ -0,0 +1,65 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-configuration.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
+ eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ security_group_all_worker_mgmt_id = "sg-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ vpc_id = "vpc-mock"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-karpenter",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
+ subnets = dependency.eks.outputs.subnets
+ vpc_id = dependency.eks.outputs.vpc_id
+ operators_ns = include.root.inputs.operator_namespace
+ telemetry_ns = include.root.inputs.telemetry_namespace
+}
diff --git a/templates/eks-modules/eks-cribl.terragrunt.hcl b/templates/eks-modules/eks-cribl.terragrunt.hcl
new file mode 100644
index 0000000..d18b180
--- /dev/null
+++ b/templates/eks-modules/eks-cribl.terragrunt.hcl
@@ -0,0 +1,90 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-cribl.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ cluster_certificate_authority_data = [{ data = "mock-cert-data" }]
+ eks_managed_node_groups_autoscaling_group_names = ["mock-asg-name"]
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ security_group_all_worker_mgmt_id = "sg-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ vpc_id = "vpc-mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-gatekeeper",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ eks_managed_node_groups_autoscaling_group_names = dependency.eks.outputs.eks_managed_node_groups_autoscaling_group_names
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ operators_ns = include.root.inputs.operator_namespace
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ security_group_all_worker_mgmt_id = dependency.eks.outputs.security_group_all_worker_mgmt_id
+ subnets = dependency.eks.outputs.subnets
+ telemetry_ns = include.root.inputs.telemetry_namespace
+ vpc_id = dependency.eks.outputs.vpc_id
+
+ # Cribl configs
+ cribl_tag = include.root.inputs.cribl_app_version
+ namespace = include.root.inputs.namespaces["cribl"]
+ service_name = "cribl-leader"
+}
diff --git a/templates/eks-modules/eks-dns.terragrunt.hcl b/templates/eks-modules/eks-dns.terragrunt.hcl
new file mode 100644
index 0000000..983ab4f
--- /dev/null
+++ b/templates/eks-modules/eks-dns.terragrunt.hcl
@@ -0,0 +1,71 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks-dns.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ subnets = ["subnet-mock1", "subnet-mock2", "subnet-mock3"]
+ }
+}
+
+dependency "eks-istio" {
+ config_path = "../eks-istio"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ istio_ingress_lb = {
+ dns_name = "mock-${include.root.inputs.cluster_name}.elb.amazonaws.com"
+ zone_id = "MOCKZONEID"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-istio",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ environment_abbr = include.root.inputs.environment_abbr
+
+ # Network Configuration
+ istio_ingress_lb = dependency.eks-istio.outputs.istio_ingress_lb
+ route53_endpoints = include.root.inputs.route53_endpoints
+ vpc_domain_name = include.root.inputs.vpc_domain_name
+ vpc_name = include.root.inputs.vpc_name
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
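Review bot: The dependency label `"eks-istio"` (and the `dependency.eks-istio.outputs.istio_ingress_lb` reference) uses a hyphen while the other new templates label dependencies with underscores (`eks_config`, `eks_dns`), and `eks-gatekeeper.terragrunt.hcl` in this same commit mixes both in one file (`eks_keycloak` next to `eks-grafana` and `eks-kiali`). Hyphens are legal in labels, but `dependency.eks-istio` is easy to misread as a subtraction at a glance, and because these files are copied into every generated repo the inconsistency will propagate. Suggest `dependency "eks_istio" {` with `istio_ingress_lb = dependency.eks_istio.outputs.istio_ingress_lb`, and the same rename for the gatekeeper template.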
diff --git a/templates/eks-modules/eks-gatekeeper.terragrunt.hcl b/templates/eks-modules/eks-gatekeeper.terragrunt.hcl
new file mode 100644
index 0000000..360a4c3
--- /dev/null
+++ b/templates/eks-modules/eks-gatekeeper.terragrunt.hcl
@@ -0,0 +1,119 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-gatekeeper.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_keycloak" {
+ config_path = "../eks-keycloak"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ user_auth_realm = "mock.keycloak.example.com/auth"
+ client_id = "mock-client-id"
+ client_secret = "mock-client-secret"
+ namespace = "keycloak"
+ user_secret = "user-sso"
+ }
+}
+
+dependency "eks-grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "telemetry"
+ internal_endpoint = {
+ hostname = "kubernetes-dashboard.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kubernetes-dashboard.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks-kiali" {
+ config_path = "../eks-kiali"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ namespace = "istio-system"
+ internal_endpoint = {
+ hostname = "kiali.telemetry.svc.cluster.local"
+ port_number = 80
+ url = "http://kiali.telemetry.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-keycloak",
+ "../eks-grafana",
+ "../eks-kiali",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Gatekeeper Standard Config
+ gatekeeper_chart_version = include.root.inputs.gatekeeper_chart_version
+ gatekeeper_tag = include.root.inputs.gatekeeper_tag
+ keycloak_client_id = dependency.eks_keycloak.outputs.client_id
+ keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret
+ keycloak_fqdn = dependency.eks_keycloak.outputs.user_auth_realm
+ user_secret = dependency.eks_keycloak.outputs.user_secret
+
+ # Grafana Gatekeeper Config
+ grafana_ns = dependency.eks-grafana.outputs.namespace
+ grafana_service_name = "grafana"
+ grafana_url = dependency.eks-grafana.outputs.internal_endpoint.url
+
+ # Kaili Gatekeeper Config
+ kiali_ns = dependency.eks-kiali.outputs.namespace
+ kiali_service_name = "kiali"
+ kiali_url = dependency.eks-kiali.outputs.internal_endpoint.url
+}
diff --git a/templates/eks-modules/eks-grafana.terragrunt.hcl b/templates/eks-modules/eks-grafana.terragrunt.hcl
new file mode 100644
index 0000000..07cc34d
--- /dev/null
+++ b/templates/eks-modules/eks-grafana.terragrunt.hcl
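Review bot: `keycloak_client_secret = dependency.eks_keycloak.outputs.client_secret` hands the Keycloak client secret to this module as a plain input, so it is read out of the eks-keycloak state and written into this module's plan and state; that is the normal Terragrunt path, but it only stays out of plan logs if the receiving variable in `tfmod-gatekeeper` is declared `sensitive = true`, which I can't see from here — please confirm. The `eks-grafana` mock outputs point at `kubernetes-dashboard.telemetry.svc.cluster.local`, which looks copy-pasted from another dependency; a mock such as `hostname = "grafana.telemetry.svc.cluster.local"` keeps the plan output for the grafana inputs readable. Also `# Kaili Gatekeeper Config` should read `# Kiali Gatekeeper Config`.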
@@ -0,0 +1,110 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-grafana.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.domain.example.com"
+ }
+}
+
+dependency "eks_loki" {
+ config_path = "../eks-loki"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ gateway_internal_endpoint = {
+ url = "mock.loki.enpoint.example.com"
+ }
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mocked"
+ tempo_internal_endpoint = {
+ url = "mock.tempo.enpoint.example.com"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+
+ # Storage Configuration
+ rwo_storage_class = dependency.eks_loki.outputs.rwo_storage_class
+
+ # Grafana Configuration
+ grafana_operator_chart_version = include.root.inputs.grafana_operator_chart_version
+ grafana_operator_tag = include.root.inputs.grafana_operator_tag
+ grafana_tag = include.root.inputs.grafana_tag
+ namespace = include.root.inputs.namespaces["grafana"]
+ os_shell_image_tag = include.root.inputs.os_shell_image_tag
+ service_name = "grafana"
+ loki_endpoint = dependency.eks_loki.outputs.gateway_internal_endpoint.url
+ prometheus_endpoint = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ tempo_endpoint = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
diff --git a/templates/eks-modules/eks-istio.terragrunt.hcl b/templates/eks-modules/eks-istio.terragrunt.hcl
new file mode 100644
index 0000000..fadb1ae
--- /dev/null
+++ b/templates/eks-modules/eks-istio.terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-istio.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks"
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Istio Configuration
+ namespace = include.root.inputs.namespaces["istio"]
+ istio_version = include.root.inputs.istio_version
+ istio_chart_version = include.root.inputs.istio_version
+}
diff --git a/templates/eks-modules/eks-k8s-dashboard.terragrunt.hcl b/templates/eks-modules/eks-k8s-dashboard.terragrunt.hcl
new file mode 100644
index 0000000..9527e5f
--- /dev/null
+++ b/templates/eks-modules/eks-k8s-dashboard.terragrunt.hcl
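Review bot: `istio_chart_version = include.root.inputs.istio_version` feeds the same root input to both `istio_version` and `istio_chart_version`; the grafana, keycloak and loki templates keep a distinct `*_chart_version` and `*_tag` per component, so if the root exposes a separate chart-version input this looks like a copy-paste slip, and if the two are deliberately pinned together that deserves a comment such as `# chart and application versions are pinned together for Istio`. The `dependencies` block is also placed before the `dependency "eks"` block here but after it in most of the sibling templates; either order works, but one convention across the template set makes diffs easier to read.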
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-k8s-dashboard.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-dns",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Dashboard Configuration
+ service_name = include.root.inputs.dashboard_hostname
+ k8s_dashboard_version = include.root.inputs.k8s_dashboard_version
+ namespace = include.root.inputs.namespaces["k8s-dashboard"]
+}
diff --git a/templates/eks-modules/eks-karpenter.terragrunt.hcl b/templates/eks-modules/eks-karpenter.terragrunt.hcl
new file mode 100644
index 0000000..fc8d924
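Review bot: The `eks_dns` mock outputs carry an `oidc_provider_arn` that nothing in this file reads and that eks-dns presumably does not produce (every other template mocks only `cluster_domain` for it); stale mock keys obscure which outputs a module actually depends on, so trimming that block to `cluster_domain = "mock.example.com"` would be cleaner. `service_name = include.root.inputs.dashboard_hostname` also departs from the literal service names the sibling templates use (`"grafana"`, `"kiali"`, `"keycloak"`); if the dashboard hostname is meant to be user-configurable a one-line comment saying so would stop the next reader from "fixing" it.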
--- /dev/null
+++ b/templates/eks-modules/eks-karpenter.terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-karpenter.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ cluster_endpoint = "https://mock-endpoint.eks.amazonaws.com"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ node_group_name = "mock-node-group"
+ vpc_id = "vpc-mock"
+ subnets = ["subnet-mock1", "subnet-mock2"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+ eecr_info = include.root.inputs.eecr_info
+
+ # Cluster Configuration
+ cluster_endpoint = dependency.eks.outputs.cluster_endpoint
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+ vpc_id = dependency.eks.outputs.vpc_id
+ subnets = dependency.eks.outputs.subnets
+
+ # Karpenter Configuration
+ karpenter_tag = include.root.inputs.karpenter_tag
+ karpenter_helm_chart = include.root.inputs.karpenter_helm_chart
+ karpenter_node_group_name = dependency.eks.outputs.node_group_name
+ namespace = include.root.inputs.namespaces["karpenter"]
+ create_spot_service_linked_role = false
+}
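Review bot: `create_spot_service_linked_role = false` is the one hard-coded IAM-relevant setting in this template and carries no explanation, so a reader cannot tell whether the Spot service-linked role is expected to already exist in every target account or whether Spot capacity is simply not used; either way it is the kind of value that breaks quietly in a fresh account. Suggest `# Spot SLR is provisioned outside this module (account bootstrap); set true only for accounts that have never used Spot` or, like the other Karpenter settings, driving it from a root input. The mocked `cluster_endpoint` also uses the commercial `eks.amazonaws.com` domain while every other mock in this commit uses the `aws-us-gov` partition; harmless for a mock, but inconsistent.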
diff --git a/templates/eks-modules/eks-keycloak.terragrunt.hcl b/templates/eks-modules/eks-keycloak.terragrunt.hcl
new file mode 100644
index 0000000..f17489e
--- /dev/null
+++ b/templates/eks-modules/eks-keycloak.terragrunt.hcl
@@ -0,0 +1,78 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-keycloak.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-dns",
+ "../eks-prometheus",
+ ]
+}
+
+inputs = {
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ eecr_info = include.root.inputs.eecr_info
+ namespace = include.root.inputs.namespaces["keycloak"]
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # keycloak config
+ default_storage_class = dependency.eks_config.outputs.rwo_storage_class
+ keycloak_chart_version = include.root.inputs.keycloak_chart_version
+ keycloak_tag = include.root.inputs.keycloak_tag
+ realm_email = include.root.inputs.cluster_mailing_list
+ realm_name = "master"
+ service_name = "keycloak"
+ telemetry_namespace = include.root.inputs.telemetry_namespace
+ admin_email = include.root.inputs.cluster_mailing_list
+
+}
diff --git a/templates/eks-modules/eks-kiali.terragrunt.hcl b/templates/eks-modules/eks-kiali.terragrunt.hcl
new file mode 100644
index 0000000..9d6d3bf
--- /dev/null
+++ b/templates/eks-modules/eks-kiali.terragrunt.hcl
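Review bot: `realm_name = "master"` points the realm at Keycloak's built-in master realm, which Keycloak's own guidance reserves for administering the server rather than for application logins; the gatekeeper template consumes `user_auth_realm` from this module's outputs, so if that output is derived from `realm_name`, user-facing clients would be authenticating against the admin realm and a dedicated realm would be the safer default. If tfmod-keycloak only uses `realm_name` to bootstrap the admin user and creates the application realm itself (not visible here), a comment saying so, e.g. `# master is used only for admin bootstrap; user realm is created by the module`, would settle it. The `dependencies` block also lists `"../eks-prometheus"` without a matching `dependency` block or any input read from it; if it exists only for ordering, say so inline, otherwise drop it. There is a stray blank line before the closing brace of `inputs`.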
@@ -0,0 +1,131 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-kiali.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependency "eks_dns" {
+ config_path = "../eks-dns"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_domain = "mock.example.com"
+ }
+}
+
+dependency "eks_grafana" {
+ config_path = "../eks-grafana"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ internal_endpoint = {
+ hostname = "grafana.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://grafana.mock.svc.cluster.local:80/"
+ }
+ namespace = "grafana"
+ secret_name = "grafana"
+ tempo_datasource_id = "mock-tempo-datasource-id"
+ }
+}
+
+dependency "eks_prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://prometheus.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependency "eks_tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ tempo_internal_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ port_number = "80"
+ url = "https://tempo.mock.svc.cluster.local:80/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-grafana",
+ "../eks-istio",
+ "../eks-prometheus",
+ "../eks-tempo",
+ ]
+}
+
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_domain = dependency.eks_dns.outputs.cluster_domain
+ cluster_name = dependency.eks.outputs.cluster_name
+ certificate_issuer = include.root.inputs.cluster_issuer_name
+
+ # Kiali Configuration
+ service_name = "kiali"
+ namespace = include.root.inputs.namespaces["kiali"]
+ istio_namespace = include.root.inputs.namespaces["istio"]
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+
+ kiali_application_version = include.root.inputs.kiali_application_version
+ kiali_operator_version = include.root.inputs.kiali_operator_version
+
+ prometheus_internal_url = dependency.eks_prometheus.outputs.prometheus_server_internal_endpoint.url
+ grafana_namespace = dependency.eks_grafana.outputs.namespace
+ grafana_secret_name = dependency.eks_grafana.outputs.secret_name
+ grafana_internal_url = dependency.eks_grafana.outputs.internal_endpoint.url
+ tempo_datasource_id = dependency.eks_grafana.outputs.tempo_datasource_id
+ tempo_internal_url = dependency.eks_tempo.outputs.tempo_internal_endpoint.url
+}
diff --git a/templates/eks-modules/eks-loki.terragrunt.hcl b/templates/eks-modules/eks-loki.terragrunt.hcl
new file mode 100644
index 0000000..724d853
--- /dev/null
+++ b/templates/eks-modules/eks-loki.terragrunt.hcl
@@ -0,0 +1,66 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-loki.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-mock"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Loki Configuration
+ loki_chart_version = include.root.inputs.loki_chart_version
+ loki_tag = include.root.inputs.loki_tag
+ namespace = include.root.inputs.namespaces["loki"]
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
diff --git a/templates/eks-modules/eks-metrics-server.terragrunt.hcl b/templates/eks-modules/eks-metrics-server.terragrunt.hcl
new file mode 100644
index 0000000..241bbc5
--- /dev/null
+++ b/templates/eks-modules/eks-metrics-server.terragrunt.hcl
@@ -0,0 +1,54 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-metrics-server.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = "mock-cluster"
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # Metrics Server Configuration
+ metrics_server_helm_chart = include.root.inputs.metrics_server_helm_chart
+ metrics_server_tag = include.root.inputs.metrics_server_tag
+ namespace = include.root.inputs.namespaces["metrics-server"]
+}
diff --git a/templates/eks-modules/eks-otel.terragrunt.hcl b/templates/eks-modules/eks-otel.terragrunt.hcl
new file mode 100644
index 0000000..a8a7d7c
--- /dev/null
+++ b/templates/eks-modules/eks-otel.terragrunt.hcl
@@ -0,0 +1,85 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-open-telemetry.git?ref=${include.root.inputs.release_version}"
+ # source = "../../../../../../../tfmod-open-telemetry"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs = {
+ cluster_name = "a-cluster-name"
+ }
+}
+
+dependency "eks-loki" {
+ config_path = "../eks-loki"
+ mock_outputs = {
+ gateway_internal_endpoint = {
+ hostname = "loki-gateway.mock.svc.cluster.local"
+ portNumber = 3210
+ url = "http://loki-gateway.mock.svc.cluster.local:3210/"
+ }
+ }
+}
+
+dependency "eks-tempo" {
+ config_path = "../eks-tempo"
+ mock_outputs = {
+ tempo_otlp_endpoint = {
+ hostname = "tempo.mock.svc.cluster.local"
+ portNumber = 1234
+ url = "http://tempo.mock.svc.cluster.local:1234/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-loki",
+ "../eks-prometheus",
+ "../eks-tempo"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Clouster Config
+ cluster_name = dependency.eks.outputs.cluster_name
+
+ # OTEL Configuration
+ namespace = include.root.inputs.namespaces["otel"]
+ loki_endpoint = dependency.eks-loki.outputs.gateway_internal_endpoint.url
+ tempo_endpoint = dependency.eks-tempo.outputs.tempo_otlp_endpoint.url
+ # Image Version
+ auto_instrumentation_java_version = include.root.inputs.auto_instrumentation_java_version
+ collector_contrib_version = include.root.inputs.collector_contrib_version
+ collector_version = include.root.inputs.collector_version
+ otel_helm_version = include.root.inputs.otel_helm_version
+ rbac_proxy_version = include.root.inputs.rbac_proxy_version
+}
diff --git a/templates/eks-modules/eks-pipeline.terragrunt.hcl b/templates/eks-modules/eks-pipeline.terragrunt.hcl
new file mode 100644
index 0000000..8d705a7
--- /dev/null
+++ b/templates/eks-modules/eks-pipeline.terragrunt.hcl
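Review bot: The three `dependency` blocks here omit `mock_outputs_allowed_terraform_commands`, unlike every other template in this commit; with no allow-list Terragrunt substitutes the mocks for any command by default, so an `apply` that reaches this module before eks, eks-loki or eks-tempo have outputs would proceed with `cluster_name = "a-cluster-name"` and the mock endpoints instead of failing. Add `mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]` to each of the three blocks to match the siblings. The commented-out local checkout `# source = "../../../../../../../tfmod-open-telemetry"` is developer residue that should not ship in a template, the mock keys use `portNumber` where the other templates use `port_number`, `# Clouster Config` is a typo, and `dependencies` lists `"../eks-prometheus"` with no dependency block or input that uses it.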
@@ -0,0 +1,100 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled OR if running in CodeBuild (to avoid circular dependency)
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true) || get_env("CODEBUILD_BUILD_ID", "") != ""
+
+ artifact_bucket = format("%v%v-%v-%v-%v",
+ include.root.inputs.prefixes["eks-s3"],
+ include.root.inputs.cluster_name,
+ "artifacts",
+ include.root.inputs.aws_account_id,
+ join("", [for c in split("-", include.root.inputs.aws_region) : substr(c, 0, 1)]))
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-pipeline.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ account_id = include.root.inputs.aws_account_id
+ cluster_name = include.root.inputs.cluster_name
+ environment = include.root.inputs.environment_abbr
+ region = include.root.inputs.aws_region
+ state_bucket_prefix = include.root.inputs.state_bucket_prefix
+
+ # VPC Configuration
+ vpc_name = include.root.inputs.vpc_name
+ subnet_filter = "*-container-*" # or any specific pattern you want to use
+
+ is_infrastructure_pipeline = true
+
+ # Updated to use buildspecs from the platform-tg-infra repository
+ # made deploy-to-pipeline will update them from tfmod-pipeline module
+ buildspec_template_path = "buildspecs"
+
+ build_configuration = {
+ compute_type = "BUILD_GENERAL1_LARGE"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "build.yml"
+ privileged_mode = true
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ security_scan_configuration = {
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "security.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+
+ approval_configuration = {
+ enabled = true
+ notify_emails = [include.root.inputs.cluster_mailing_list]
+ custom_message = "Please review and approve infrastructure changes to the CSVD platform"
+ }
+
+ deployment_configuration = {
+ target_type = "Build"
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/amazonlinux-x86_64-standard:5.0"
+ buildspec_path = "deploy.yml"
+ environment_variables = {
+ ARTIFACT_BUCKET = local.artifact_bucket
+ TERRAGRUNT_PATH = "lab/${include.root.inputs.environment}/${include.root.inputs.aws_region}/vpc/${include.root.inputs.cluster_name}"
+ REGION = include.root.inputs.aws_region
+ ENVIRONMENT = include.root.inputs.environment_abbr
+ AWS_ACCOUNT_ID = include.root.inputs.aws_account_id
+ PROXY_CONFIG = "http://vlab-proxy.tco.census.gov:3128"
+ }
+ }
+}
diff --git a/templates/eks-modules/eks-prometheus.README.md b/templates/eks-modules/eks-prometheus.README.md
new file mode 100644
index 0000000..bbbffb2
--- /dev/null
+++ b/templates/eks-modules/eks-prometheus.README.md
@@ -0,0 +1,198 @@
+## eks-prometheus
+This module deploys EKS kubeenetes prometheus inside existing EKS cluster. Prometheus is an open-source systems monitoring and alerting tool.
+This module consisits of 4 components. It creates prometheus namespace and copies image repositories for the following components from quay.io into local account ECR repository. It deploys these components using helm charts using the configured ECR repositories.
+ 1. prometheus-alert-manager
+ 2. prometheus-node-exporter
+ 3. prometheus-pushgateway
+ 4. prometheus-server
+
+### Dependencies
+This module is dependent on EKS module (eks). The cluster should exist already for this module to work.
+
+### Inputs
+ cluster_name
+ profile
+ prometheus_chart_version
+ prometheus_server_tag
+ prometheus_config_reloader_tag
+ alertmanager_tag
+ kube_state_metrics_tag
+ node_exporter_tag
+ pushgateway_tag
+ rwo_storage_class
+
+### Outputs
+ alertmanager_internal_endpoint
+ alertmanager_headless_internal_endpoint
+ pushgateway_internal_endpoint
+ prometheus_server_internal_endpoint
+
+### Issues observed/fixed
+1. The rwo_storage_class value had to be updated from "gp3" to "gp3-encrypted"
+2. The node_exporter_tag value had to be updated from "1.6.1" to "v1.8.1"
+3. The kube_state_metrics_tag value had to be updated from "2.10.0" to "v2.6.0"
+4. The alertmanager_tag value had to be updated from
+5. The helm chart set config for the ecr image had to be split into 2 components, one for registry and other for repository as an example mentioned below:
+
+ ```
+ set {
+ name = "kube-state-metrics.image.registry"
+ value = module.images.images[local.ksm_key].dest_registry
+ }
+ set {
+ name = "kube-state-metrics.image.repository"
+ value = module.images.images[local.ksm_key].dest_repository
+ }
+ ```
+
+6. In some other cases the image ecr repository had to be split by the colon separatory (:)
+
+ ```
+ set {
+ name = "alertmanager.configmapReload.image.repository"
+ value = split(":", module.images.images[local.prom_config_reload_key].dest_full_path)[0]
+ }
+ ```
+
+### Chart Notes
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-pushgateway,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl port-forward $POD_NAME 9091
+ echo "Visit http://127.0.0.1:9091 to use your application"
+ ```
+
+ The Prometheus server can be accessed via port 80 on the following DNS name from within your cluster:
+ prometheus-server.prometheus.svc.cluster.local
+
+
+ Get the Prometheus server URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9090
+ ```
+
+ The Prometheus alertmanager can be accessed via port 9093 on the following DNS name from within your cluster:
+ `prometheus-alertmanager.prometheus.svc.cluster.local`
+
+
+ Get the Alertmanager URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9093
+ ```
+
+ #################################################################################
+ ###### WARNING: Pod Security Policy has been disabled by default since #####
+ ###### it deprecated after k8s 1.25+. use #####
+ ###### (index .Values "prometheus-node-exporter" "rbac" #####
+ ###### "pspEnabled") with (index .Values #####
+ ###### "prometheus-node-exporter" "rbac" "pspAnnotations") #####
+ ###### in case you still need it. #####
+ #################################################################################
+
+
+ The Prometheus PushGateway can be accessed via port 9091 on the following DNS name from within your cluster:
+ `prometheus-prometheus-pushgateway.prometheus.svc.cluster.local`
+
+
+ Get the PushGateway URL by running these commands in the same shell:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus-pushgateway,component=pushgateway" -o jsonpath="{.items[0].metadata.name}")
+ kubectl --namespace prometheus port-forward $POD_NAME 9091
+ ```
+
+ For more information on running Prometheus, visit:
+ https://prometheus.io/
+
+ kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects.
+ The exposed metrics can be found here:
+ https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics
+
+ The metrics are exported on the HTTP endpoint /metrics on the listening port.
+ In your case, `prometheus-kube-state-metrics.prometheus.svc.cluster.local:8080/metrics`
+
+ They are served either as plaintext or protobuf depending on the Accept header.
+ They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint.
+
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=alertmanager,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:9093 to use your application"
+ kubectl --namespace prometheus port-forward $POD_NAME 9093:80
+ ```
+
+ 1. Get the application URL by running these commands:
+
+ ```bash
+ export POD_NAME=$(kubectl get pods --namespace prometheus -l "app.kubernetes.io/name=prometheus-node-exporter,app.kubernetes.io/instance=prometheus" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:9100 to use your application"
+ kubectl port-forward --namespace prometheus $POD_NAME 9100
+ ```
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 0.13 |
+| [aws](#requirement\_aws) | >= 5.14.0 |
+| [helm](#requirement\_helm) | >= 2.11.0 |
+| [kubernetes](#requirement\_kubernetes) | >= 2.23.0 |
+| [null](#requirement\_null) | >= 3.2.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [helm](#provider\_helm) | >= 2.11.0 |
+| [kubernetes](#provider\_kubernetes) | >= 2.23.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [images](#module\_images) | git@github.e.it.census.gov:terraform-modules/aws-ecr-copy-images.git/ | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [helm_release.prometheus](https://registry.terraform.io/providers/hashicorp/helm/latest/docs/resources/release) | resource |
+| [kubernetes_namespace.ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
+| [kubernetes_namespace.existing-ns](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/data-sources/namespace) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [alertmanager\_tag](#input\_alertmanager\_tag) | The image tag of the alertmanager image. | `string` | `"v0.27.0"` | no |
+| [cluster\_name](#input\_cluster\_name) | The name of the cluster into which prometheus will be installed. | `string` | n/a | yes |
+| [create\_namespace](#input\_create\_namespace) | Indicates whether the `namespace` needs to be created ('true') or already exists (not `true`) | `bool` | `true` | no |
+| [kube\_state\_metrics\_tag](#input\_kube\_state\_metrics\_tag) | The image tag of the kube-state-metrics image. | `string` | `"v2.13.0"` | no |
+| [namespace](#input\_namespace) | The namespace to install the prometheus components. Defaults to 'prometheus' | `string` | `"prometheus"` | no |
+| [node\_exporter\_tag](#input\_node\_exporter\_tag) | The image tag of the node-exporter image. | `string` | `"v1.8.2"` | no |
+| [profile](#input\_profile) | AWS\_PROFILE to use to apply the terraform script. | `string` | `""` | no |
+| [prometheus\_chart\_version](#input\_prometheus\_chart\_version) | The version of prometheus to install into the cluster. | `string` | `"25.24.1"` | no |
+| [prometheus\_config\_reloader\_tag](#input\_prometheus\_config\_reloader\_tag) | The image tag of the prometheus-config-reloader image. | `string` | `"v0.75.1"` | no |
+| [prometheus\_server\_tag](#input\_prometheus\_server\_tag) | The image tag of prometheus server to install into the cluster. | `string` | `"v2.53.1"` | no |
+| [pushgateway\_tag](#input\_pushgateway\_tag) | The image tag of the pushgateway image. | `string` | `"v1.9.0"` | no |
+| [rwo\_storage\_class](#input\_rwo\_storage\_class) | Specify the storage class for read/write/once persistent volumes. | `string` | `"gp3-encrypted"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [alertmanager\_headless\_internal\_endpoint](#output\_alertmanager\_headless\_internal\_endpoint) | n/a |
+| [alertmanager\_internal\_endpoint](#output\_alertmanager\_internal\_endpoint) | n/a |
+| [module\_name](#output\_module\_name) | The name of this module. |
+| [module\_version](#output\_module\_version) | The version of this module. |
+| [prometheus\_namespace](#output\_prometheus\_namespace) | n/a |
+| [prometheus\_server\_internal\_endpoint](#output\_prometheus\_server\_internal\_endpoint) | n/a |
+| [pushgateway\_internal\_endpoint](#output\_pushgateway\_internal\_endpoint) | n/a |
+
diff --git a/templates/eks-modules/eks-prometheus.terragrunt.hcl b/templates/eks-modules/eks-prometheus.terragrunt.hcl
new file mode 100644
index 0000000..f968797
--- /dev/null
+++ b/templates/eks-modules/eks-prometheus.terragrunt.hcl
@@ -0,0 +1,70 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-prometheus.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-config",
+ "../eks-karpenter",
+ ]
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks_config" {
+ config_path = "../eks-config"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ rwo_storage_class = "gp3-encyrpted"
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ alertmanager_tag = include.root.inputs.alertmanager_tag
+ namespace = include.root.inputs.namespaces["prometheus"]
+ prometheus_chart_version = include.root.inputs.prometheus_chart_version
+ prometheus_config_reloader_tag = include.root.inputs.prometheus_config_reloader_tag
+ prometheus_server_tag = include.root.inputs.prometheus_server_tag
+ pushgateway_tag = include.root.inputs.pushgateway_tag
+ rwo_storage_class = dependency.eks_config.outputs.rwo_storage_class
+}
diff --git a/templates/eks-modules/eks-tempo.terragrunt.hcl b/templates/eks-modules/eks-tempo.terragrunt.hcl
new file mode 100644
index 0000000..71dd0a1
--- /dev/null
+++ b/templates/eks-modules/eks-tempo.terragrunt.hcl
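Review bot: The mock value `rwo_storage_class = "gp3-encyrpted"` in the `eks_config` dependency block misspells the storage class that the module README added in this same commit documents as `gp3-encrypted`; since mocks are allowed for `plan` and `validate`, a plan run without eks-config outputs renders a non-existent class and hides a real diff instead of surfacing it. Change it to `rwo_storage_class = "gp3-encrypted"`. The `inputs` block also passes `account_id`, `eecr_info`, `oidc_provider_arn` and `region`, none of which appear in the README's Inputs table; Terragrunt hands inputs over as `TF_VAR_` variables, so if tfmod-prometheus does not declare them they are dropped without an error, which suggests either the README or the inputs block is stale. `destroy` is also listed in `mock_outputs_allowed_terraform_commands`, so a destroy may proceed on mocked dependency outputs; if that is intended, a one-line comment stating why would save the next reader a question.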
@@ -0,0 +1,75 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-tempo.git?ref=${include.root.inputs.release_version}"
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+dependency "eks" {
+ config_path = "../eks"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ cluster_name = include.root.inputs.cluster_name
+ oidc_provider_arn = "arn:aws-us-gov:iam::123456789012:oidc-provider/mock"
+ }
+}
+
+dependency "eks-prometheus" {
+ config_path = "../eks-prometheus"
+ mock_outputs_allowed_terraform_commands = ["init", "plan", "validate", "destroy"]
+ mock_outputs = {
+ prometheus_namespace = "prometheus"
+ prometheus_server_internal_endpoint = {
+ hostname = "prometheus-server.mock.svc.cluster.local"
+ port_number = 9090
+ url = "http://prometheus-server.mock.svc.cluster.local:9090/"
+ }
+ }
+}
+
+dependencies {
+ paths = [
+ "../eks",
+ "../eks-prometheus"
+ ]
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ eecr_info = include.root.inputs.eecr_info
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Cluster Configuration
+ cluster_name = dependency.eks.outputs.cluster_name
+ oidc_provider_arn = dependency.eks.outputs.oidc_provider_arn
+
+ # Prometheus Configuration
+ prometheus_namespace = dependency.eks-prometheus.outputs.prometheus_namespace
+ prometheus_port = dependency.eks-prometheus.outputs.prometheus_server_internal_endpoint.port_number
+
+ # Tempo Configuration
+ tempo_chart_version = include.root.inputs.tempo_chart_version
+ tempo_tag = include.root.inputs.tempo_tag
+ namespace = include.root.inputs.namespaces["tempo"]
+
+}
diff --git a/templates/eks-modules/eks.terragrunt.hcl b/templates/eks-modules/eks.terragrunt.hcl
new file mode 100644
index 0000000..fd3787a
--- /dev/null
+++ b/templates/eks-modules/eks.terragrunt.hcl
@@ -0,0 +1,43 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ merge_strategy = "deep"
+ expose = true
+}
+
+locals {
+ # Skip this module if disabled
+ skip = !lookup(include.root.locals.is_module_enabled, basename(get_terragrunt_dir()), true)
+}
+
+exclude {
+ if = local.skip
+ actions = ["all_except_output"]
+ exclude_dependencies = false
+}
+
+terraform {
+ source = "git@github.e.it.census.gov:SCT-Engineering/tfmod-eks.git?ref=${include.root.inputs.release_version}"
+
+ extra_arguments "retry_lock" {
+ commands = get_terraform_commands_that_need_locking()
+ arguments = ["-lock-timeout=20s"]
+ }
+}
+
+inputs = {
+ # AWS Configuration
+ account_id = include.root.inputs.aws_account_id
+ profile = include.root.inputs.aws_profile
+ region = include.root.inputs.aws_region
+
+ # Core Cluster Configuration
+ cluster_name = include.root.inputs.cluster_name
+ cluster_version = include.root.inputs.cluster_version
+ eks_ng_desired_size = include.root.inputs.eks_ng_desired_size
+ eks_ng_max_size = include.root.inputs.eks_ng_max_size
+ eks_ng_min_size = include.root.inputs.eks_ng_min_size
+ eks_instance_types = ["t3a.large"]
+
+ # Additional Configuration
+ tags = include.root.inputs.tags
+}
diff --git a/variables.tf b/variables.tf
index 6f27c73..8e93d32 100644
--- a/variables.tf
+++ b/variables.tf
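Review bot: The dependency block is named `dependency "eks-prometheus"` with a hyphen and is then referenced as `dependency.eks-prometheus.outputs...` twice in `inputs`, while the sibling eks-prometheus template names its analogous block `dependency "eks_config"`; HCL tolerates the hyphen, but the two generated files now follow different naming rules for the same construct. Rename it to `dependency "eks_prometheus"` and update the two `dependency.eks_prometheus.outputs.…` references. The `dependencies` block is also placed after the `dependency` blocks here and before them in the prometheus template, and `inputs` ends with a stray blank line before the closing brace; aligning the ordering makes the two templates diff cleanly against each other.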
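Review bot: `eks_instance_types = ["t3a.large"]` is hard-coded in the `inputs` block of a generated template while every other sizing value on the surrounding lines (`eks_ng_desired_size`, `eks_ng_max_size`, `eks_ng_min_size`) comes from `include.root.inputs`, so every cluster generated from this template gets the same instance type and changing it means editing the template rather than the cluster's configuration. If root.hcl exposes such a value, `eks_instance_types = include.root.inputs.eks_instance_types` would keep the node group sizing in one place; if it does not, a comment such as `# Fixed until an eks_instance_types input exists in root.hcl` would record that this is a deliberate default rather than an oversight.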
@@ -212,15 +212,15 @@ variable "namespaces" {
 variable "enable_modules" {
 description = "Map of modules to enable (internal use)"
 type = object({
- gatekeeper = optional(bool, false)
- grafana = optional(bool, false)
- otel = optional(bool, false)
- prometheus = optional(bool, false)
- tempo = optional(bool, false)
- loki = optional(bool, false)
- kiali = optional(bool, false)
- keycloak = optional(bool, false)
- cribl = optional(bool, false)
+ gatekeeper = optional(bool, false)
+ grafana = optional(bool, false)
+ otel = optional(bool, false)
+ prometheus = optional(bool, false)
+ tempo = optional(bool, false)
+ loki = optional(bool, false)
+ kiali = optional(bool, false)
+ keycloak = optional(bool, false)
+ cribl = optional(bool, false)
 })
 default = {}
 }